Bug 1175188

Summary: selinux blocks slapd access to cracklib
Product: Red Hat Enterprise Linux 7 Reporter: David Spurek <dspurek>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.1CC: ebenes, lmiksik, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-15.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1195733 (view as bug list) Environment:
Last Closed: 2015-03-05 10:47:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1195733    

Description David Spurek 2014-12-17 10:08:57 UTC 
Description of problem:
selinux blocks slapd access to cracklib. opendlap server may use pwdChecker module that needs access to cracklib when user changes its password.

I see following avcs in permissive mode:
time->Wed Dec 17 05:00:20 2014
type=SYSCALL msg=audit(1418810420.243:29794): arch=c000003e syscall=2 success=no exit=-13 a0=7f3205ab9bb0 a1=0 a2=1b6 a3=1 items=0 ppid=1 pid=24628 auid=4294967295 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 tty=(none) ses=4294967295 comm="slapd" exe="/usr/sbin/slapd" subj=system_u:system_r:slapd_t:s0 key=(null)
type=AVC msg=audit(1418810420.243:29794): avc:  denied  { search } for  pid=24628 comm="slapd" name="cracklib" dev="dm-0" ino=139189 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir
time->Wed Dec 17 05:03:35 2014
type=SYSCALL msg=audit(1418810615.493:29838): arch=c000003e syscall=2 success=yes exit=20 a0=7f0ad9764bb0 a1=0 a2=1b6 a3=1 items=0 ppid=1 pid=26496 auid=4294967295 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 tty=(none) ses=4294967295 comm="slapd" exe="/usr/sbin/slapd" subj=system_u:system_r:slapd_t:s0 key=(null)
type=AVC msg=audit(1418810615.493:29838): avc:  denied  { open } for  pid=26496 comm="slapd" path="/usr/share/cracklib/pw_dict.hwm" dev="dm-0" ino=139196 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file
type=AVC msg=audit(1418810615.493:29838): avc:  denied  { read } for  pid=26496 comm="slapd" name="pw_dict.hwm" dev="dm-0" ino=139196 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file
----
time->Wed Dec 17 05:03:35 2014
type=SYSCALL msg=audit(1418810615.493:29839): arch=c000003e syscall=5 success=yes exit=0 a0=15 a1=7f0ad9762d30 a2=7f0ad9762d30 a3=7f0ad9762c20 items=0 ppid=1 pid=26496 auid=4294967295 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 tty=(none) ses=4294967295 comm="slapd" exe="/usr/sbin/slapd" subj=system_u:system_r:slapd_t:s0 key=(null)
type=AVC msg=audit(1418810615.493:29839): avc:  denied  { getattr } for  pid=26496 comm="slapd" path="/usr/share/cracklib/pw_dict.pwi" dev="dm-0" ino=139198 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-12.el7

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Miroslav Grepl 2015-01-09 13:59:48 UTC 
commit 82a13a5c7c05da576e1721063b1d5e0082017f18
Author: Miroslav Grepl <mgrepl>
Date:   Fri Jan 9 14:59:05 2015 +0100

    Allow slapd to read /usr/share/cracklib/pw_dict.hwm.
Comment 7 errata-xmlrpc 2015-03-05 10:47:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html